azure-mg-sub-governance-reporting's Issues

Allow to run on non-root management-group

Hello, thank you for the script.
Unfortunately, I don't have access to the root management-group, but I do have access to some management-group under which we have the actual sub-tree we want the report for.

May you improve the script to be able to run on any management-group by id?

Thank you.

RequestConvertedFromJson error

Hi,
I've cloned the repository and only changed the 2 necessary variables (service account and management group), but I'm getting this error running the pipeline in DevOps (Microsoft agents):

ConvertFrom-Json: /home/vsts/.local/share/powershell/Modules/AzAPICall/1.1.13/functions/AzAPICallFunctions.ps1:260
Line |
260 | … RequestConvertedFromJson = ($azAPIRequest.Content | ConvertFrom-Json)
| ~~~~~~~~~~~~~~~~
| Cannot convert the JSON string because it contains keys with
| different casing. Please use the -AsHashTable switch instead.
| The key that was attempted to be added to the existing key
| 'StorageAccount' was 'storageAccount'.

##[error]PowerShell exited with code '1'.


I've read the documentation and didn't see anything about this, could you help me?, thanks.

Regards.

Object reference not set to an instance of an object. $SubscriptionIdForDefinitionCaching

Hello, I cannot seem to get the script running. The issue I'm having is the following error which stops the script:

Get-AzRoleDefinition: /mnt/c/code/Azure-MG-Sub-Governance-Reporting/pwsh/AzGovViz.ps1:10223
 Line |
10223 |  … finitions = Get-AzRoleDefinition -Scope "/subscriptions/$Subscription …
      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      | Object reference not set to an instance of an object.

Before that, I get the following output which already looks wrong to me due to the SubscriptionId:
OK Subscription context (QuotaId not 'AAD_*') for Definition Caching (SubscriptionId: ; QuotaId: EnterpriseAgreement_2014-09-01 EnterpriseAgreement_2014-09-01 [...] many more

I'm reader on Management Root Group level and executing the script after login via Connect-AzAccount. There are multiple lower management groups and multiple subscriptions. When I start the script, I also get Access test passed: ManagementGroupId 'xxx' is accessible.

I'm also wondering why I don't get any console output for $checkContext.Subscription.Id after doing $checkContext = Get-AzContext -ErrorAction Stop.

Get-AzContext -ListAvailable gives

Name                                     Account                                    SubscriptionName                           Environment                               TenantId
----                                     -------                                    ----------------                           -----------                               --------
xx-ID1 - …                               [email protected]                                                                               AzureCloud                                xx-ID1

Potential security issue - information disclosure

Thanks for developing such a great tool, it's very powerful. I may have found a potential information disclosure vulnerability with AzGovViz when run on Azure DevOps pipelines in the method documented.

Take the scenario below

  • AzGovViz is run in Azure DevOps pipelines (as documented here )
  • The Azure DevOps project has the setting "Limit job authorization scope to current project for non-release pipelines" off (required for cross-project access from build agents)
  • The AzGovViz repo has write access granted to DevOps build agents as documented here and here

In the scenario above, anyone with access to run a job on a build agent within the entire DevOps org (any Project) has the ability to overwrite the AzGovViz script with a script of their choosing. As this runs with high level tenant reader rights, it could lead to unintended information disclosure.

There is a warning on the DevOps doco about this, however it's obscure (e.g. a sys admin may set up AzGovViz not knowing that this setting is enabled in DevOps, which gives essentially high level reader rights in the tenant to anyone who can access a build agent).

There could be a couple of solutions here

  • to have the script in one repo (which is read-only to DevOps build agents) and the output in another repo (which is writable by DevOps build agents). This protects the integrity of the script. However a note that anyone who can run a build can still view the contents of the "output" repo.
  • Update the AzGovViz install steps to reference this setting and warn of the impact, and to use the multi-repo model for script protection.
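An added example (not code from AzGovViz or from the issue author) of one control that addresses the integrity half of this report: before the pipeline dot-sources the script with tenant-wide Reader rights, compare the file's SHA-256 against a pinned value and fail closed on mismatch. The pinned hash, the temporary script and the function names below are placeholders for the demonstration; in a real pipeline the pin is a constant stored where build agents cannot write (for example in the pipeline YAML of the read-only repository proposed above).

```powershell
# Added example: refuse to execute a script whose content no longer matches a pinned hash.
# The pin is computed here for the demo only; in production it is a reviewed, stored constant.
Set-StrictMode -Version Latest

function Test-PinnedScriptHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Script not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Hex digests are not secrets, so a plain case-insensitive comparison is sufficient.
    return ($actual -ieq $ExpectedSha256)
}

function Invoke-PinnedScript {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [hashtable]$Arguments = @{}
    )
    if (-not (Test-PinnedScriptHash -Path $Path -ExpectedSha256 $ExpectedSha256)) {
        # Fail closed: a modified script must never run with the pipeline's tenant Reader identity.
        throw "Integrity check failed for '$Path'; refusing to run."
    }
    & $Path @Arguments
}

# Demonstration with a constructed temporary script standing in for AzGovViz.ps1.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'pinned-demo.ps1'
Set-Content -LiteralPath $tmp -Value 'param($Name) "hello $Name"' -NoNewline
$pin = (Get-FileHash -LiteralPath $tmp -Algorithm SHA256).Hash

# First run: content matches the pin, so the script executes.
Invoke-PinnedScript -Path $tmp -ExpectedSha256 $pin -Arguments @{ Name = 'AzGovViz' }

# Simulate an attacker appending to the script from another build job.
Add-Content -LiteralPath $tmp -Value "`n# injected"

# Second run: the hash no longer matches and execution is refused.
try {
    Invoke-PinnedScript -Path $tmp -ExpectedSha256 $pin -Arguments @{ Name = 'AzGovViz' }
} catch {
    Write-Warning $_.Exception.Message
}
Remove-Item -LiteralPath $tmp -Force
```

The check only helps if the pin itself is out of reach of the identity that can write the script repository; if both live in the same writable repo, an attacker simply updates both. Pinning a Git commit (rather than a branch) in the checkout step gives the same property for the whole checkout.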

AzGovViz Pipeline Exited with Code '1'

Pipeline failed with the below error when trying to run on a large tenant, and I've verified microsoft.insights is registered on the subscription:

!Please report at aka.ms/AzGovViz and provide the following dump
getDiagnosticSettingsSub for Subscription: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - try #1; returned: (StatusCode: '404') <.code: ''> <.error.code: 'InvalidResourceType'> | <.message: ''> <.error.message: 'Resource type 'diagnosticSettings' of provider namespace 'microsoft.insights' was not found in global location for api version '2021-05-01-preview'.'> - (plain : @{error=}) - EXIT
Parameters:
accountType:ServicePrincipal
azAccountsVersion:n/a
azAPICallModuleVersion:1.1.12
codeRunPlatform:AzureDevOps
debugAzAPICall:False
debugWriteMethod:Host
DoAzureConsumption:False
DoNotIncludeResourceGroupsAndResourcesOnRBAC:False
DoNotIncludeResourceGroupsOnPolicy:False
DoNotShowRoleAssignmentsUserData:False
DoPSRule:False
gitHubRepository:aka.ms/AzGovViz
HierarchyMapOnly:False
LargeTenant:True
ManagementGroupsOnly:False
NoJsonExport:False
NoMDfCSecureScore:False
NoPolicyComplianceStates:True
NoResourceProvidersDetailed:True
NoResources:True
onAzureDevOps:True
onAzureDevOpsOrGitHubActions:True
onGitHubActions:False
PolicyAtScopeOnly:True
ProductVersion:v6_major_20220521_1
psVersion:7.2.3
RBACAtScopeOnly:True
subscriptionQuotaId:EnterpriseAgreement_2014-09-01
userType:n/a
writeMethod:Host
Exception: /home/vsts/work/1/s/pwsh/AzGovVizParallel.ps1:3665
Line |
3665 | $batch.Group | ForEach-Object -Parallel {
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Error - check the last console output for details

##[error]PowerShell exited with code '1'.

failed pipeline due to unsupported subscription offer

Hello,
We have an issue while using this. We have several student subscriptions in our tenant, and when trying to run the pipeline i get this.

Current AzContext OK: NAU Initial Subscription; 9a0b8e1e-fa67-496f-894d-cffe55d90d07; QuotaId: EnterpriseAgreement_2014-09-01
Getting Consumption data for scope: '' for period 1 days (2021-06-24 - 2021-06-24)
Getting Consumption data for scope: '' for period 1 days (2021-06-24 - 2021-06-24) - try #1; returned: <.code: ''> <.error.code: 'BadRequest'> | <.message: ''> <.error.message: 'Cost management data is unavailable for subscription b1739bfa-c40b-438b-becf-012f32ac9e41. The offer MS-AZR-0170P is not supported. (Request ID: c7ad409d-dc9b-4eaa-a3d0-f101bf95b5d1)'> - (plain : @{error=}) investigate that error!/exit
AzAPICall: /home/vsts/work/1/s/pwsh/AzGovVizParallel.ps1:18719
Line |
18719 | … ptionData = AzAPICall -uri $uri -method $method -body $body -currentT …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Error

##[error]PowerShell exited with code '1'.

PSRule output as summary

An issue could exist when using PSRule integration and the repository already has PSRule configured using the ps-rule.yaml options file.

We should override the invoke command line to ensure that detailed output is returned, which is required for data collection.

Exception encountered.

Learning the project, but got this on my test Tenant and am following directions. Could easily be PEBKAC.

Building TenantSummary
processing (pre) TenantSummary RoleAssignments (all 5)
RelatedPolicyAssignmentsAll duration: 6.562E-05 minutes (0.0039372 seconds)
Processing unresoved Identities (createdBy)
1 unresolved identities that created a RBAC Role assignment (createdBy)
0 unresolved identities that have a value
IdentitiesToCheck: ""


!Please report at aka.ms/AzGovViz and provide the following dump
resolveObjectbyId RoleAssignment - try #1; returned: (StatusCode: '') <.code: ''> <.error.code: 'Request_BadRequest'> | <.message: ''> <.error.message: 'Invalid GUID:'> - (plain : @{error=}) - EXIT

Does it support AzureChinaCloud? I got an error message when I process on an AzureChinaCloud account

Checking AAD UserType
Checking AAD UserType - try #1; returned: <.code: ''> <.error.code: 'Authorization_RequestDenied'> | <.message: ''> <.error.message: 'Insufficient privileges to complete the operation.'> - (plain : @{error=}) investigate that error!/exit
Exception: D:\Tools\1.ps1:661
Line |
661 | … Throw "Error - check the last console output for details" …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Error - check the last console output for details

MG does not have any valid subscriptions

Hi,

I've run this over an ESLZ environment that I have deployed, with a user that has 'Reader' permissions at the 'blah' MG, and get the following error:

Invoke-WebRequest: /Users/blah/temp code/Azure-MG-Sub-Governance-Reporting/pwsh/AzGovVizParallel.ps1:1043:33
Line |
1043 | … PIRequest = Invoke-WebRequest -Uri $uri -Method $method -body $body - …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"error":{"code":"BadRequest","message":"Management group blah does not have any valid subscriptions. (Request ID: 57b66136-e3bb-487d-b09f-stuff)"}}

Command to run the script:
./AzGovVizParallel.ps1 -ManagementGroupId 'blah' -StatsOptOut -OutputPath '..\output\'
I've got a lot of data out successfully, but not sure whether I'm missing something else.

Any ideas what to check?

Unexpected token in AzGovViz.ps1

I cloned the repo and wanted to run the AzGovViz.ps1 script but it gives me the following error:

Unexpected token '}' in expression or statement. (linenumber 11232,13)

CustomDataCollection ManagementGroups getRoleAssignments CustomDataCollection Mg /providers/Microsoft.Management/managementGroups/xxx-xxx-xxx-xxx #7 'Unexpected Error' occurred 'Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.' - Please report this error/exit Exception: AzGovVizParallel.ps1:1767:5

Hi there,
first of all thanks for AzGov, I am wondering if you have a chance to execute it towards Az China Cloud. I am facing some issues once trying to execute it using SPN with all the Reader rights (Application) on the MS Graph and Azure level.
Any idea what might be a reason here and how to move forward? thanks much

CustomDataCollection ManagementGroups
getRoleAssignments CustomDataCollection Mg /providers/Microsoft.Management/managementGroups/xxx-xxx-xxx-xxx #7 'Unexpected Error' occurred 'Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.' - Please report this error/exit
Exception: AzGovVizParallel.ps1:1767:5

Powershell module errors just started appearing

My previously working pipeline just started failing with the following errors:

2020-12-14T17:57:08.3508433Z Line |
2020-12-14T17:57:08.3508916Z    3 |  . '/home/vsts/work/1/s/pwsh/AzGovViz.ps1' -ManagementGroupId cbe94afc …
2020-12-14T17:57:08.3509476Z      |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-12-14T17:57:08.3510014Z      | AzModule test failed: cmdlet Search-AzGraph not available -
2020-12-14T17:57:08.3510528Z      | make sure the modules Az.Accounts, Az.Resources,
2020-12-14T17:57:08.3510996Z      | Az.ResourceGraph are installed

I'm wondering if something changed in the default Azure DevOps agent environment that now needs to be accounted for in the powershell script?

Getting Consumption data (scope Sub NAU DBA Online Subscription 'Removed for Online' (EnterpriseAgreement_2014-09-01))

Hello Julian,
Received this error below trying to run the PowerShell command against our tenant.

!Please report at aka.ms/AzGovViz and provide the following dump
Getting Consumption data (scope Sub NAU DBA Online Subscription 'Removed for Online' (EnterpriseAgreement_2014-09-01)) - try #1; returned: (StatusCode: '') <.code: ''> <.error.code: 'NotFound'> | <.message: ''> <.error.message: 'Cost management data is not supported for subscription(s) "Removed for Online" in the provided api-version. Please use api-version 2019-10-01 or later. (Request ID: cdd84ec7-e0d5-4bd1-99e6-632870d34630)'> - (plain : @{error=}) - EXIT
Exception: C:\Scripts\AzGovViz\AzGovVizParallel.ps1:19735
Line |
19735 | … $subsToProcessInCustomDataCollection | ForEach-Object -Pa …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Error - AzGovViz: check the last console output for details

Custom HTML

Hello ,

This is not an issue but more of an query .Is it possible for you to point out at what point the HTML Is pulling code for "LinkedIn" and Github profile icon/link on top left hand corner? I would like to have it more streamlined with external links.

Thankx
Bagelcoffee

Export-Csv calls - remove the double quotes

When calling Export-Csv, it defaults to add double quotes to each cell, and this creates problems when using it as a data source in PowerBI.

Adding the parameter "-UseQuotes AsNeeded" to the 2 Export-Csv calls will stop it adding the double quotes, and then the resulting CSV is easily used in PowerBI.

Typo Fix

Was just reading through the doc and noticed the misspelling for the word schedule, bolded and italicized below:

Azure DevOps Pipeline
The provided example Pipeline is configured to run based on a shedule (every 6 hours). It will push the AzGovViz markdown output file to the 'wiki' folder in the 'Azure-MG-Sub-Governance-Reporting' Repository which will feed your Wiki.

Looking forward to testing this script out!

Cannot validate argument on parameter 'Subscription'

recent Az.ResourceGraph release seems to break the script execution.

Cannot validate argument on parameter 'Subscription'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

A bit earlier than planned, but now releasing the new version v5_major_20210505_5

Error getting consumption data

After setting:

Define if Azure Consumption data should be reported

  • name: DoAzureConsumption

    Switch | example: value: true

    value: true

I get these messages in the log: (ids replaced with )


2022-05-25T07:08:52.4227102Z Getting Consumption data (scope MG '') for period 1 days (2022-05-24 - 2022-05-24)
2022-05-25T07:08:53.8543010Z Getting Consumption data (scope MG '') for period 1 days (2022-05-24 - 2022-05-24) - try #1; returned: (StatusCode: '400') <.code: ''> <.error.code: 'BadRequest'> | <.message: ''> <.error.message: 'Management group does not have any valid subscriptions. (Request ID: )'> - (plain : @{error=}) seems there are no valid Subscriptions present - skipping CostManagement
2022-05-25T07:08:53.8561133Z Seems there are no valid Subscriptions present - skipping CostManagement
2022-05-25T07:08:53.8562085Z Action: Setting switch parameter 'DoAzureConsumption' to false
2022-05-25T07:08:53.8569848Z Getting Consumption data duration: 1.4344381 seconds

Invoke-WebRequest: /home/vsts/.local/share/powershell/Modules/AzAPICall/1.1.12/functions/AzAPICallFunctions.ps1:170
Line |
170 | … PIRequest = Invoke-WebRequest -Uri $uri -Method $method -Body $body - …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"error":{"code":"BadRequest","message":"Management group
| does not have any valid subscriptions. (Request ID:
| )"}}

Get-Package: No match was found for the specified search criteria and module names
'PSRule.Rules.Azure'.

Get-Package: No match was found for the specified search criteria and module names
'AzAPICall'.

Running in Azure Devops.

Please advise.

Hangs when using Tenant root group

Tried to run this tool on our tenant root group and it just hangs - killed it after 8 hours.
Used the AAD tenant ID as the mgmt group ID.

Should this work on tenant root group?
Does work on lower level mgmt groups.

Include CSS and secondary JS files

Could you include the CSS and secondary JS files in the code tree? I'm trying to view an older run report and the changes you're making to the CSS are breaking old reports.


This would also allow for custom styles.

Another approach would be to version the CSS down to the sub-version (azgovvisv30r3 vs azgovvisv3), but I'd still like to see the secondary files included.

The offer MS-AZR-0243P is not supported

Afternoon,

When running the report in AzDO we are getting the following output:

2021-08-11T01:01:23.6063201Z  Getting Consumption data for scope: '?????_Root' for period 1 days (2021-08-10 - 2021-08-10) - try #1; returned: <.code: ''> <.error.code: 'BadRequest'> | <.message: ''> <.error.message: 'Cost management data is unavailable for subscription XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The offer MS-AZR-0243P is not supported. (Request ID: 3a1bf49f-1d64-410d-b632-1a27abac95cd)'> - (plain : @{error=}) investigate that error!/exit

The sub is disabled and will eventually disappear which should fix this on its own. Is there a way to fix this before then? Disabled subs can take a while to disappear.

InvalidOperation: The property 'Id' cannot be found on this object. Verify that the property exists and can be set.

Hi - First time using the AzGovViz tool. Running under a B2B guest account that has been granted AAD Global Reader role and Azure Reader role at root management group.

Script ran to this point and had error. Attaching full console output.
...........
Collecting custom data duration: 1.71531709166667 minutes (102.9190255 seconds)
Collecting custom data for 11 ManagementGroups Avg/Max/Min duration in seconds: Average: 8.3249; Maximum: 12.2845; Minimum: 4.6978
Collecting custom data for 35 Subscriptions Avg/Max/Min duration in seconds: Average: 10.5512; Maximum: 17.9478; Minimum: 8.5202
Collecting custom data total duration writing the subResourcesArray: 0.011296 seconds
Collecting custom data APICalls (Management) total count: 694 (0 retries; 0 nextLinkReset)
Preparing Arrays
Preparing Arrays duration: 0.007814005 minutes (0.4688403 seconds)
Resolving AAD Groups (for which a RBAC Role assignment exists)
processing 216 AAD Groups with Role assignments (indicating progress in steps of 20)
InvalidOperation:
Line |
5 | … $script:htAADGroupsDetails.($aadGroupId).Id = $aadGroupId …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The property 'Id' cannot be found on this object. Verify that the property exists and can be set.
azgovviz-errorout.txt

Any assistance on troubleshooting greatly appreciated!

Brian

Azure Active Directory API Read Permission Deprecated

Permissions test failed: Your AzDO ServiceConnection seems to
| lack 'Azure Active Directory API' Read permissions. Please
| check the documentation:

However when I try and grant this I get the warning:

Azure Active Directory Graph will be deprecated in June 2022. We recommend using Microsoft Graph APIs for your application. If you are currently using Azure Active Directory Graph, please migrate to Microsoft Graph.

Have I misunderstood which permission I should be granting?

Error in Pipeline Run - Powershell git clone

##[debug]system.culture=en-US
##[debug]errorActionPreference=stop
##[debug]failOnStderr=false
##[debug]ignoreLASTEXITCODE=false
##[debug]workingDirectory=/home/vsts/work/1/s
##[debug]check path : /home/vsts/work/1/s
##[debug]targetType=inline
##[debug]script=mkdir /home/vsts/wiki
cd /home/vsts/wiki
$TeamProjectUriFormat = [uri]::EscapeDataString("sfes")
git clone -c http.extraheader="AUTHORIZATION: bearer ***" https://dev.azure.com//$TeamProjectUriFormat/_git/wikiRepo
...
/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -Command . '/home/vsts/work/_temp/9358e2e0-ba52-4b95-a970-a04db5d7b54b.ps1'
Cloning into 'wikiRepo'...
remote: TF401019: The Git repository with name or identifier wikiRepo does not exist or you do not have permissions for the operation you are attempting.
fatal: repository 'https://dev.azure.com//sfes/_git/wikiRepo/' not found
install Az.ResourceGraph
##[debug]$LASTEXITCODE: 128

The wikiRepo Git does, in fact, exist. The build service has full permissions to both repos. Interestingly, the logs mistakenly add an extraneous ' to the end of the URL for the wikiRepo git. But I don't know if this is related....

Publish HTML to WebApp jobstep issue

Hi,

I adopted the job step "Publish HTML to WebApp" as you can see below;

  jobs:
    AzGovViz:
      runs-on: ubuntu-latest
      environment: 'ssc-np'
      env:
        scope: '*****'
      steps:
  
        # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
        - name: Checkout Internal Repository
          uses: actions/checkout@v3
        - name: Checkout JulianHayward/Azure-MG-Sub-Governance-Reporting
          uses: actions/checkout@v3
          with:
            repository: JulianHayward/Azure-MG-Sub-Governance-Reporting
            ref: v6_major_20220521_1
            clean: 'false' # Needed to add this otherwise the previous repo download is deleted first
  
        - name: Connect Azure
          uses: azure/login@v1
          with:
            creds: ${{secrets.CREDS}}
            enable-AzPSSession: true 
 
        - name: Check prerequisites
          uses: azure/powershell@v1
          with:
            inlineScript: |
              . .\$($env:ScriptDir)\$($env:ScriptPrereqFile) -OutputPath ${env:OutputPath}
            azPSVersion: "latest"
  
        - name: Run AzGovViz
          uses: azure/powershell@v1
          with:
            inlineScript: |
              . .\$($env:ScriptDir)\$($env:ScriptFile) -ManagementGroupId ${env:ManagementGroupId} -ScriptPath ${env:ScriptDir} -OutputPath ${env:OutputPath} -DoAzureConsumption -AzureConsumptionPeriod 28 -DoTranscript -ChangeTrackingDays 28
            azPSVersion: "latest"
        
        - name: Publish HTML to WebApp
          if: env.WebAppPublish == 'true'
          uses: azure/powershell@v1
          with:
            inlineScript: |
              --> Import-Module -Name AzAPICall <--
              $azAPICallConf = initAzAPICall -DebugAZAPICall $true
              $currentTask = "AzAPICall - Check if WebApp ($($env:WebAppName)) has Authentication enabled"
              $uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/subscriptions/$($env:WebAppSubscriptionId)/resourceGroups/$($env:WebAppResourceGroup)/providers/Microsoft.Web/sites/$($env:WebAppName)/config/authsettings/list?api-version=2021-02-01"
              $method = 'POST'
              $request = AzAPICall -AzAPICallConfiguration $azAPICallConf -uri $uri -method $method -currentTask $currentTask -listenOn 'Content'
              $authStatus = $request.properties.enabled
              Write-Host "WebApp ($($env:WebAppName)) has Authentication enabled: $authStatus"
              if ($authStatus) {..........

If I leave out the "Import-Module -Name AzAPICall" then I received the error in the screenshot below. Not sure if this is an intermittent error, but adding the import-module surely fixed it for me.


Script fails during JSON Export due to filename

Hi Julian,
I just ran the Script with just the "-ManagementGroupId" parameter and it ran through to the end, receiving all kind of information, but then failing here:

Create ht for JSON
 ht for JSON creation duration: 5.4090404 seconds
 Build JSON
Set-Content: C:\Users\User\Downloads\AzGovVizParallel.ps1:21250
 Line |
21250 |  … Converted | Set-Content -LiteralPath "$($outputPath)$($DirectorySepar …
      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      | Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch. :
      | 'C:\Users\User\Downloads\JSON\Definitions\PolicyDefinitions\Custom\Mg\OID-REDACTED (Tenant Root
      | Group)\postgress db requires tag "classification" (OID-REDACTED).json'

This file probably cannot be created because the path is either too long and/or contains quotes.

SubscriptionQuotaWhitelist fails with more than one entry

Describe the bug

When I add two whitelisted quota IDs to the AzGovViz.variables.yml file the report finds no matching subscriptions. If I use either one of the parameters by itself I get the expected result from the pipeline.

To Reproduce

Use this code in the AzGovViz.variables.yml file:

# Processes only Subscriptions that startWith the given QuotaIds
  - name: SubscriptionQuotaIdWhitelistParameters
    type: object
    # example:
    #   default:
    #     - MSDN_
    #     - EnterpriseAgreement_
    default:
      - EnterpriseAgreement_
      - MSDNDevTest_
    

Additional context

In the pipeline when the "Create Arguments String" step runs it puts single quotes around all the argument values in the argument string. Putting those single quotes around the values for SubscriptionQuotaIdWhitelist parameter makes the script treat it like a string instead of an array.

I hacked the pipeline to force an argument string that didn't have the single quotes around the whitelisted subs and it worked.

Not working:

Build Script Arguments String...

Arguments String: -ManagementGroupId '00a9f7b2-9733-42fa-9b43-3ffc9f5d132d' -CsvDelimiter ';' -OutputPath 'wiki' -SubscriptionQuotaIdWhitelist 'EnterpriseAgreement_, MSDNDevTest_' ...

Working:

Build Script Arguments String...

Arguments String: -ManagementGroupId '00a9f7b2-9733-42fa-9b43-3ffc9f5d132d' -CsvDelimiter ';' -OutputPath 'wiki' -SubscriptionQuotaIdWhitelist EnterpriseAgreement_, MSDNDevTest_ ...
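An added example (not AzGovViz's own parameter handling, and not from the issue author) of the script-side fix that makes both argument strings above behave the same: normalise the whitelist so that a single quoted, comma-separated string is split into the same prefix list a real array would give. The function names and the subscription records are constructed for the demonstration.

```powershell
# Added example: accept the whitelist both as a real array and as the single
# comma-separated string that a quoted argument string turns it into.

function Resolve-QuotaIdWhitelist {
    param([AllowNull()][string[]]$Whitelist)
    if (-not $Whitelist) { return @() }
    # Split every element on commas, trim whitespace, drop empties, de-duplicate.
    $Whitelist |
        ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Select-Object -Unique
}

function Test-QuotaIdAllowed {
    param(
        [Parameter(Mandatory)][string]$QuotaId,
        [string[]]$Whitelist
    )
    $prefixes = @(Resolve-QuotaIdWhitelist $Whitelist)
    if ($prefixes.Count -eq 0) { return $true }      # empty whitelist means no filtering
    foreach ($p in $prefixes) {
        if ($QuotaId.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Constructed subscription records standing in for the real tenant.
$subscriptions = @(
    [pscustomobject]@{ Name = 'prod-01'; QuotaId = 'EnterpriseAgreement_2014-09-01' }
    [pscustomobject]@{ Name = 'dev-01';  QuotaId = 'MSDNDevTest_2014-09-01' }
    [pscustomobject]@{ Name = 'lab-01';  QuotaId = 'MSDN_2014-09-01' }
)

# What the quoted argument string delivers (one string) versus a real array.
$fromPipeline = 'EnterpriseAgreement_, MSDNDevTest_'
$asArray      = @('EnterpriseAgreement_', 'MSDNDevTest_')

# Without normalisation the whole string is treated as one prefix and matches nothing.
$rawHits = @($subscriptions | Where-Object { $_.QuotaId.StartsWith($fromPipeline) })
"Raw single-string prefix matches: $($rawHits.Count)"

# With normalisation both forms select the same subscriptions.
foreach ($list in @($fromPipeline, $asArray)) {
    $kept = @($subscriptions | Where-Object { Test-QuotaIdAllowed -QuotaId $_.QuotaId -Whitelist $list })
    "{0,-40} -> {1}" -f ($list -join ' | '), ($kept.Name -join ', ')
}
```

On the pipeline side, the cleaner fix is to stop concatenating one argument string and instead splat a hashtable into the script call, which keeps array parameters as arrays and avoids the quoting problem entirely.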

ParserError: /home/----/AzGovVizParallel.ps1:216

Using latest version I got this error:

ParserError: /home/----/AzGovVizParallel.ps1:216
Line |
216 | … ata-ga-click="(Logged out) Header, go to Features">Features <span cla …
| ~
| The '<' operator is reserved for future use.

pwsh version 7.1.3

Azure DevOps Pipeline issue

since yesterday the AzGovViz Pipeline in AzureDevOps is failing as the BearerToken cannot be read from the tokenCache. Investigation ongoing.

Long file names of csvs

I have come across a number of instances where the long file names are causing issues with customers when trying to share the repo in a zip - this is most acutely affected in Windows machines.
Is there a way that we can possibly shorten the name, possibly only using the first 6-9 characters of the tenant id?

Azure DevOps Pipeline: Authorization_RequestDenied / workaround

Using Azure DevOps Pipeline:
seems for newer pipelines we now need to add the Service Connection's ServicePrincipal to the Azure Active Directory Role 'Directory readers'. Investigation ongoing.

ref:
Get AAD Guest Users - try #1; returned: <.code: ''> <.error.code: 'Authorization_RequestDenied'> | <.message: ''> <.error.message: 'Insufficient privileges to complete the operation.'> - (plain : @{error=}) investigate that error!/exit

Context is not set to any Subscription

Getting Context is not set to any Subscription error from Azure Pipelines scheduled run. However manually re-running the Pipeline often causes it to succeed, working fine prior to v5 upgrade.

AzGovVizVersion = v5_major_20210308_3

Context test failed: Context is not set to any Subscription. Set your context to a subscription by running: Set-AzContext -subscription <subscriptionId> (run Get-AzSubscription to get the list of available Subscriptions). When done re-run AzGovViz

Azure DevOps pipeline does not work on self hosted VM Scale Set

I tried to run ADO pipeline using self hosted agent pool with VM Scale Set. The only change I made to yaml file was agent pool name.
Pipeline failed on " Prerequisites check" step. Error message:
"##[error]Unable to locate executable file: 'pwsh'. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable."
VM Scale Set profile using Ubuntu server with 18_04-lts-gen2 plan.

No HTML Output Created

The following lines is where the script terminates;

Exception: C:\Git\Azure-MG-Sub-Governance-Reporting\pwsh\AzGovVizParallel.ps1:2949
Line |
2949 | $resourceTypesUnique.where( { $_.Name -like 'microsoft.*' }) …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Error - check the last console output for details

CSV files are outputted, but the HTML files are not. The script was also run with the -LargeTenant parameter, but HTML files were not created then either.

Exclude management group

Not sure if this is an issue or just how to use the script, but is there any way to exclude a management group from the report?

In our tenant there is a management group for "Visual Studio Subscriptions" which are self-managed by developers (its their visual studio subscriber benefit subscriptions). Some of the things they do in there cause AzGovViz to fail (e.g. they don't register microsoft.insights, which stops the diagnostic log check from working).

Ideally we would report from the top management group down, excluding the "Visual Studio Subscriptions" MG.

Date time parsing problem for non-US locale

Specifically with a Finnish locale, the casts to [datetime] fail with the following error:

InvalidArgument: Cannot convert value "2021-11-18 13.19.27" to type "System.DateTime". Error: "String '2021-11-18 13.19.27' was not recognized as a valid DateTime."

This is a strange issue in PowerShell itself. If you have a date object and convert it to a string like this:

$date_str = $date_object.ToString("yyyy-MM-dd HH:mm:ss")

Then when you attempt to cast it back to an object without specifying the format:

$date_value = [datetime]$date_str

You will get the same error when the locale settings use a period for time separator.

A quick fix is to use ParseExact everywhere, for example like this:

$roleAssignmentsCreated = ($rbacAll | Sort-Object -Property RoleAssignmentId, ObjectId -Unique).where( { -not [string]::IsNullOrEmpty($_.CreatedOn) -and [datetime]::ParseExact($_.CreatedOn, "yyyy-MM-dd HH:mm:ss", $null) -gt $xdaysAgo })

But that's not very clean and is causing a lot of converting in loops. Instead, it would be better to not convert the DateTime values to strings in the first place, for example around line 9420 this:

$createdOn = $customPolicySet.Json.properties.metadata.createdOn.ToString("yyyy-MM-dd HH:mm:ss")

could be left as an object, and then the value converted to string whenever needed for output.
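An added example (not AzGovViz code and not from the issue author) that reproduces the failure described above without changing the host's locale and shows the culture-invariant round-trip that avoids it. Two facts drive it: the ':' in a custom .NET format string stands for the current culture's time separator rather than a literal colon, and PowerShell's [datetime] cast always parses with the invariant culture. A cloned culture whose time separator is set to '.' is used as a stand-in for the Finnish locale; that stand-in and the helper names are assumptions of this example.

```powershell
# Added example: why "yyyy-MM-dd HH:mm:ss" round-trips on one host and fails on another,
# and how formatting and parsing with the invariant culture removes the dependency.

$inv = [cultureinfo]::InvariantCulture
$sim = [cultureinfo]::InvariantCulture.Clone()      # constructed stand-in for fi-FI
$sim.DateTimeFormat.TimeSeparator = '.'              # Finnish hosts render 13:19:27 as 13.19.27

$fmt  = 'yyyy-MM-dd HH:mm:ss'
$when = [datetime]::new(2021, 11, 18, 13, 19, 27)

function ConvertTo-RoundTripString {
    param([Parameter(Mandatory)][datetime]$Value)
    # Format with an explicit invariant provider so the separators never follow the host locale.
    $Value.ToString($fmt, $inv)
}

function ConvertFrom-RoundTripString {
    param([Parameter(Mandatory)][string]$Text)
    # Parse with the same format and the same provider; no cast, so no locale surprise.
    [datetime]::ParseExact($Text, $fmt, $inv)
}

# 1) Culture-dependent formatting: ':' in the format becomes the culture's separator.
$hostStyle = $when.ToString($fmt, $sim)

# 2) The [datetime] cast parses with the invariant culture, which does not accept '.'
#    as a time separator; this is the conversion error reported in the issue.
$castOk = $true
try { [void][datetime]$hostStyle } catch { $castOk = $false }

# 3) Invariant formatting plus ParseExact with the same provider round-trips exactly.
$roundTrip = ConvertFrom-RoundTripString (ConvertTo-RoundTripString $when)

[pscustomobject]@{
    FormattedOnDotSeparatorHost = $hostStyle
    CastSucceeded               = $castOk
    InvariantRoundTripEqual     = ($roundTrip -eq $when)
}
```

The "o" (round-trip) standard format is an equally safe choice when the string only needs to be machine-readable. Keeping the values as [datetime] objects until output time, as the issue proposes, sidesteps the problem altogether because nothing is parsed back.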
